[57] ABSTRACT

The present invention discloses a method for auditing and
controlling overt and covert communication traffic in a
communication system. The present invention identifies and
uses a few parameters to characterize system communica-
tion traffic: the volume (V), the frequency (F), the order (O),
the (extrinsic) nature (N) of communication between a given
pair of nodes and the length (L) (or duration) of transmis-
sion. Using one or a combination of the parameters V, F, O,
N, L, the invention determines "baseline" system conditions,
and audits the behavior and operations of overt and covert
communication activity to detect "out-of-baseline" traffic
patterns. To further prevent covert channel communications,
the present invention introduces an adaptive transmission
scheduling policy and a channel handling policy based upon
a channel auditing mechanism. The covert channel handling
policy of the invention controls the covert channel capacity
for noiseless and noisy channels by changing the granularity
of change of idle slots in the system. An auditability thresh-
old is used to determine the range of system operations that
is accepted as "normal or baseline." When a communication
system under supervision is observed to be falling out of
"normal or baseline" range, a system audit can be initiated
to detect system faults and control overt and covert com-
munication traffic.

16 Claims, 13 Drawing Sheets 
DETERMINE AUDITABLE LOAD
GIVEN AUDITABILITY THRESHOLD θ:
Load(+θ) = [Load(base) + Load(base) × θ]
Load(−θ) = [Load(base) − Load(base) × θ]

DETERMINE AUDITABLE LOAD
GIVEN AUDITABILITY THRESHOLD θ:
Load(+θ) = Load(base) + [Load(base) × θ/n]
Load(−θ) = Load(base) − [Load(base) × θ/n]

DETERMINE IDLE SLOTS:
IdleSlot(+θ) = [60 × (n−1)/{Load(+θ) × Ts}] − n(n−1)
IdleSlot(−θ) = [60 × (n−1)/{Load(−θ) × Ts}] − n(n−1)

MAXIMUM SYMBOLS AVAILABLE:
States(max) = IdleSlot(+θ) − IdleSlot(−θ)

MAXIMUM CHANNEL CAPACITY:
C(max) = log2(States(max))/60 (bps)

CHANNEL CAPACITY WITH HANDLING:
Cδ = [log2(States(max))/δ]/60 (bps)
BACKGROUND OF THE INVENTION

1. Field of the Invention 

The present invention relates to the field of system 
communication auditing, and in particular to overt and 
covert communication channel traffic auditing and control- 
ling. 

2. Background Art 

Communication systems, such as a computer network, 
often provide the capability to send messages between 
computers, between users, or between systems, to share 
resources, and to provide remote access to users. Commu- 
nications systems are subject to various levels of security. 
For example, there may be a password required to be an 
active user on the communication system. There may be 
restrictions on certain types of data transfers between users. 
There may be different classes of users with different per- 
missions to use the communication system. Messages may 
be encrypted so that only authorized users can read the
messages. The rules and restrictions of a communications
system are referred to here as the system's security policy.
A problem with current communications systems is an 
inability to recognize and prevent certain types of misuse of 
the system that violate the system security policy. Another 
problem with current communications systems is an inabil- 
ity to quantify system parameters such as data traffic, timing, 
storage, and other performance indicators. 

A communication system can be said to be made up of 
"overt" and "covert" channels. A channel is a communica- 
tion path in the communication system. For example, in a 
computer network, the conducting medium that connects 
two computers together (e.g. twisted pair, ethernet, token
ring network, etc.) is a physical channel. An overt channel
is a logical communication path that is intended to be part of
the communication system (e.g. the conducting medium). A
covert channel is a communication channel that allows the
transfer of information in a manner that violates or breaches
the system's security policy.

When someone attempts to circumvent or disobey the 
security policy of a system, it is said that the communica- 
tions system is under "attack". The person attacking the 
system is referred to as an intruder, a malevolent user, a 
hacker, or simply as an unauthorized user. The communi- 
cation of an attacker is referred to as an illicit ( 



An example of one way that an attacker uses a covert 
channel for illicit communication is to attempt to use the 
presence or absence of messages to encode information. 
Another method is to use the number of messages 
exchanged to encode information. The attacker could also 
have the timing of messages, the identity of the sender or
receiver, or the size of the message represent information. If
it is possible for an attacker to utilize a system to commu-
nicate information as described in the above and like
examples, it is said that a covert communication channel
exists.

By way of background, attacks on a communication 
system are either active attacks or passive attacks. Active 
attacks on a commimication system may result in unautho- 
rized information release or modification or denial of 
resources. That is, the attacker actually accesses the network
to send false information or to obtain information in viola-
tion of the security policy. The security of an overt com-
munication channel can be compromised in an active attack
when an intruder taps into a communication system or 
network and discards or delays all communication packets 
going in one or both directions. Thus, a node or a group of 
nodes that are completely cut off from the rest of the system 
by the intruder has no way of determining when the next 
packets should be arriving from its correspondent peer 
entity. 

In a passive attack, the intruder simply releases the
contents of a message or mounts a traffic analysis attack to
infer user behavior or exploit covert channels. That is, as
described above, the presence, timing, size, and/or address-
ees of data transfers represent traffic characteristics that can
be used to communicate using a covert channel.

Covert channels in computer systems are generally clas-
sified into two categories, storage and timing covert chan-
nels. Covert storage channels involve the direct or indirect
modification of storage memory by one process (the sender
of a covert message) and the direct and indirect reading of
the memory location by another process (the receiver of the
covert message). Covert timing channels are exploited when
the sender process modulates the use of its own resources in
a manner that affects the response of the receiver process. In
both cases, for a covert channel to exist, the sender and
receiver must share some common computational resource.

A potential system hacker, attacker, or malevolent user
may attempt to eavesdrop on the system by establishing a
passive monitoring system and gathering information by
inference or analyzing the system traffic. For example, by
observing either the volume of communication between a
source and a destination or the overall communication
volume among nodes in the system, an eavesdropper can
gain some insight into the behavioral patterns of the system
users. Using the insight thus gained, the malevolent user can
exploit the system covert channels by collaborating with
another malevolent user or a willing accomplice.

Some examples of covert channels can be found in 
"Transmission Schedules To Prevent Traffic Analysis," 9th 
Annual Computer Security and Applications Conference,
1993, Orlando, Fla., B. R. Venkatraman and R. E. Newman- 
Wolfe, incorporated herein by reference. 

A typical transmission system and a scheme for using it 
covertly are illustrated in FIGS. 1, 2 and 3. FIG. 1 shows a 
slotted time packet transmission system. A slot is the basic
time unit during which a given node may send or receive at 
most one packet. If at most one node of a total of n nodes 
can transmit per slot, then n(n-l) slots are needed to 
complete a transmission between all nodes in the system. If 
all n nodes can transmit in a slot, then at most n slots are
needed. On the average, therefore, some number of slots 
between n and n(n-l) are needed to complete a transmis- 



Referring to FIG. 1, a period is a set of successive slots 
during which one phase of the transmission schedule is 
carried out. In this model, a period consists of n(n-l) active 
slots and m idle slots, if n(n-l) slots are needed to complete 
one phase of a transmission schedule. A cycle comprises a
set of successive periods.

A covert channel due to transmission frequency can exist 
in a system such as shown in FIG. 1. FIG. 2 shows an 
example of a covert channel due to transmission frequency.
Referring to FIG. 2, if a user on node i communicates with 
another user on node j more frequently than he does with 
other nodes in the system, or exchanges packets with the 
node at a predetermined frequency, then a covert channel 
could exist. For example, the user at node i and j could 
encode some information in the frequency of communica-
tion between them. Users may seem to be conducting normal
and non-covert communication if only overt channels are
monitored. However, the users may be exchanging infor-
mation surreptitiously in unmonitored covert channels by
timing the communication.

In FIG. 2, information can be encoded by timing the 
transmission of packets. In this case, by computing the 
interarrival times, i.e., the time interval between the previous 
message and the current message, the intruder and an
accomplice can succeed in creating a covert channel. 

Even if the average frequency is held constant by equal 
volume restrictions and each node agrees to send exactly one 
packet to every other node per period, the position of the 
packet transmitted to a particular node within the period
could contain information, i.e., by Pulse Position Modula-
tion. The bandwidth of this covert channel could be as large
as log(n(n−1)) ≈ 2 log n bits/period.

FIG. 3 is an example of a covert channel using transmis- 
sion order. In FIG. 3, a node in a system sends a packet to
node A followed by a packet to node B to encode "1" and the
reverse order (BA) to encode "0". If the intruder and his
accomplice(s) can affect the transmission order in k nodes,
then k! transmission orders are possible. Thus, the band-
width of this covert channel could be as large as log(k!) ≈ (k/2)
log k bits per period. In this case, the intruder and his
accomplice have encoded information by transmitting pack-
ets in a predetermined order so that they can communicate
between themselves and with other nodes in the system. 

Thus, an intruder may deduce important information from 
the mere presence of message traffic in a communication 
system. This information, then, may be used to extract or 
infer information on the activity or intentions of unsuspect- 
ing system members, or to provide a covert channel for 
communication between an intruder and an accomplice in 
the system. A secure communication system needs to be 
designed to prevent traffic analysis, and to prevent subse- 
quent creation or exploitation of network covert channels. 
Countermeasures need to be implemented to prevent traffic
analysis and mask the amount and nature of traffic between 
origin-destination pairs within the system. 

The two basic approaches to communication security are 
(1) link-oriented security measures, which provide security 
by protecting message traffic independently on each com-
munication link, and (2) end-to-end security measures,
which provide protection for each message from its source 

In a system employing link-oriented measures, encryption
is performed independently on each communication link. A
link-to-link security mechanism, however, requires that
source, destination, and intermediate nodes be physically
secure. If one single node becomes corrupt and cooperates
with a potential attacker, the message traffic passing through
that node will be exposed.

End-to-end security mechanisms do not suffer from the 
problems of link-to-link mechanisms. However, end-to-end 
security mechanisms cannot mask traffic patterns and thus 
cannot prevent all traffic analysis. 

Covert channels can be eliminated by avoiding resource
sharing. But this can be often impractical. There are, 
however, a few mechanisms that can be used to achieve 
protection beyond simple encryption and to prevent traffic 
analysis, thereby reducing the bandwidth of covert channels, 
if not eliminating them. In a "No Idle Slots" scheme, if the
system is utilized at full capacity as allowed by a protocol, 
the idle slots can be completely eliminated and so can any 



possibility of covert channels. However, if a node is using all
its capacity, i.e., there are no idle slots in a period, then the 
scheme is costly because the volume of true traffic may be 
only a fraction of the capacity being used due to padding. 

In a "Capacity Limitation" scheme, the times at which the 
scheduling policy can respond to variations in the load are
restricted. Since the cycle length is considerably longer than 
the period length, the nodes will have to buffer all the 
packets generated due to the additional load (in this cycle) 
and dispatch them at the usual rate. The nodes have to wait 
until the beginning of a new cycle before the period char- 
acteristics can be changed. Thus, a user trying to create a 
covert channel would be unsuccessful and no information is 
communicated. Since the cycle boundaries are far apart, the 
bandwidth of the covert channel is considerably reduced and 
is noisy. The capacity limitation scheme could introduce 
severe queuing delays and adversely affect the Quality of 
Service (QOS) requirements. 

SUMMARY OF THE INVENTION 
The present invention discloses a method for auditing and 
controlling overt and covert communication traffic in a 
communication system. The invention identifies and uses 
certain parameters to characterize system communication 
traffic: the volume (V) of communication between a given 
pair of nodes, the frequency (F) of communication between 
a given pair of nodes, the order (O) of communication 
between a set of nodes, the (extrinsic) nature (N) of com- 
munication between a given pair of nodes, and the length (L) 
(or duration) of transmission. Using one or a combination of 
the parameters V, F, O, N, L, the invention determines
"baseline" system conditions, and audits the behavior and
operations of overt and covert communication activity to 
detect "out-of-baseline" traffic patterns. This allows the 
invention to statistically monitor the security characteristics 
of overt and covert channel traffic and detect system faults. 

To further prevent covert channel communications, the 
present invention introduces an adaptive transmission 
scheduling policy and a channel handling policy based upon 
a channel auditing mechanism. In the preferred embodiment 
of the invention, an auditability threshold is used to deter- 
mine the range of "normal or baseline" system operations. 
The covert channel handling policy of the invention controls 
the covert channel capacity by changing the granularity of 
change of idle slots in the system. With coarser granularity, 
a sender can cause a large enough change in the system load 
for the number of idle slots to change. This improves the 
auditability of the channel and reduces the covert channel 
capacity for noiseless and noisy channels. The invention also 
develops a method that can be used to derive the values of 
the granularity of change of idle slots from a desired channel 
capacity. 
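The flowchart text at the head of the page (auditable load for a threshold θ, idle slots per period, States(max), C(max) and Cδ) and the granularity derivation mentioned in this summary, worked in Python as an added example; this is not code from the patent. It assumes, as the idle-slot formula implies, that Load is packets sent per node per minute (each node sends n−1 packets per period), Ts is the slot time in seconds, and one load change per one-minute audit interval is one covert symbol; the parameter values in the main block are constructed.

```python
import math


def auditable_load(load_base, theta, n=None):
    """Load(+θ) and Load(−θ) for a baseline load and auditability threshold θ.

    The page shows two forms of this step: Load(base) ± Load(base)·θ and
    Load(base) ± Load(base)·θ/n. Pass n to use the second form.
    """
    step = load_base * theta / (n if n else 1)
    return load_base + step, load_base - step


def idle_slots(load, n, ts):
    """Idle slots per period: IdleSlot = 60(n−1)/(Load·Ts) − n(n−1).

    60(n−1)/(Load·Ts) is the period length in slots needed to carry Load
    packets per node per minute; n(n−1) of those slots are active, the rest
    idle. A negative result means the period cannot carry that load at all.
    """
    if load <= 0:
        raise ValueError("load must be positive")
    return 60 * (n - 1) / (load * ts) - n * (n - 1)


def covert_capacity(load_base, theta, n, ts, delta=1.0, per_node=False):
    """C(max) and Cδ in bits per second, following the flowchart steps."""
    load_hi, load_lo = auditable_load(load_base, theta, n if per_node else None)
    m_hi = idle_slots(load_hi, n, ts)  # fewer idle slots at the higher load
    m_lo = idle_slots(load_lo, n, ts)  # more idle slots at the lower load
    # States(max): distinct idle-slot counts reachable without leaving the
    # auditable band; taken as a magnitude because the higher load gives fewer slots
    states = abs(m_lo - m_hi)
    if states < 2:
        # fewer than two distinguishable states: nothing can be signalled
        return {"states": states, "c_max": 0.0, "c_delta": 0.0}
    bits = math.log2(states)
    return {
        "states": states,
        "c_max": bits / 60,              # one symbol per one-minute audit interval
        "c_delta": (bits / delta) / 60,  # the page's formula with handling granularity δ
    }


def granularity_for_capacity(states, c_desired):
    """Invert Cδ = [log2(States)/δ]/60 to obtain the granularity δ that holds
    the covert channel at a desired capacity (bits per second)."""
    if states < 2:
        return 1.0
    return math.log2(states) / (60 * c_desired)


if __name__ == "__main__":
    # Constructed parameters: 4 nodes, 10 ms slots, 100 packets/min/node, θ = 20 %
    result = covert_capacity(100, 0.2, n=4, ts=0.01)
    print(result)
    print("δ for 0.02 bps:", granularity_for_capacity(result["states"], 0.02))
```

With these constructed inputs the band covers 75 idle-slot states, so C(max) is about 0.10 bps; requiring a granularity of about 5.2 slots brings Cδ down to 0.02 bps, which is the direction the handling policy in the summary describes.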

BRIEF DESCRIPTION OF THE DRAWINGS 
FIG. 1 shows a slotted time packet transmission system. 
FIG. 2 shows an example of a covert channel using 
transmission frequency. 

FIG. 3 is an example of a covert channel using transmis-
sion order.

FIG. 4 is a diagram of an example of a network system 
constructed in accordance with the present invention. 

FIG. 5 shows a static transmission scheduling policy. 

FIG. 6 is an example of changing transmission charac- 
teristics in an adaptive scheduling policy. 

FIG. 7 is a flow chart illustrating a node negotiating to 
change the number of active slots. 



FIG. 8 shows an example of the distribution of the change 
in system communication traffic volume over one minute
intervals. 

FIG. 9 shows the channel capacities for different audit-
ability thresholds, θ.

FIG. 10 shows the effect of different handling policies at 
different load conditions on the covert channel capacity for 
a noiseless channel. 

FIG. 11 shows the effect of granularity on covert channel
capacity. 

FIG. 12A is a flowchart for monitoring communication
traffic and determining channel capacities for noiseless and
noisy channels according to the preferred embodiment of the
invention.

FIG. 12B is a flowchart describing a fault detection 
method. 



A method of auditing, estimating capacity of 
channels and controlling overt and co 
traffic is described. In the following description, numerous 
specific details are set forth in order to provide a more
thorough understanding of the present invention. It will be
apparent, however, to one skilled in the art, that the present
invention may be practiced without these specific details. In
other instances, well known features have not been
described in detail so as not to obscure the present invention.

In the context of secure communications, security means 
more than just simple encryption of messages, and often 
requires prevention of communication traffic analysis. By 
creating a neutral traffic matrix in which, regardless of the
original traffic pattern, even communication levels are
observed in the system, and auditing overt and covert
channel communications in the neutral traffic matrix, the
invention prevents a potential intruder from attacking the
communication system and deriving useful information
from it.

To provide a neutral traffic matrix, the present invention 
introduces padding and rerouting. The traffic matrix is
padded with dummy packets so that the volume of each
inter-node communication is the same. Rerouting sends a
packet first to an intermediate node, which forwards the
packet to its true destination so that by the second hop, the
packet is delivered to its final destination. In the present
invention, transport layers of each node agree to forward
rerouted messages to their true destination once they are
received and initially decoded. The present invention,
however, does not require any assumptions regarding packet 
routing in the network layers. 

Thus, the system according to a preferred embodiment of 
the present invention smoothes the traffic matrix by rerout- 
ing and evens the traffic flow by padding to provide spatial
neutrality of a communication system and to eliminate
variation in the relative volume of communication traffic.
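The padding and rerouting steps just described, applied to an n×n traffic matrix, as an added Python example (not the patent's own code). The choice of the target level as the ceiling of the average per-pair volume, the greedy choice of intermediate node, and the sample matrix are all assumptions made for the example; the patent only states that rerouting uses one intermediate hop and that padding makes every inter-node volume the same.

```python
def neutralize_traffic_matrix(matrix):
    """Reroute excess traffic through intermediate nodes, then pad every
    source-destination pair with dummy packets up to a common level.

    matrix[i][j] is the number of real packets node i sends to node j in one
    period. Returns the matrix an observer sees, the padding level, the
    reroutes performed as (src, dst, via) and the number of dummy packets.
    """
    n = len(matrix)
    load = [row[:] for row in matrix]          # per-hop load after rerouting
    pairs = [(i, j) for i in range(n) for j in range(n) if i != j]
    total = sum(load[i][j] for i, j in pairs)
    level = -(-total // len(pairs))            # assumed target: ceil(average per pair)
    reroutes = []
    for i, j in pairs:
        while load[i][j] > level:
            # first intermediate k with room for one more packet on both hops
            k = next((k for k in range(n) if k not in (i, j)
                      and load[i][k] < level and load[k][j] < level), None)
            if k is None:
                break                          # no spare hop: padding absorbs the rest
            load[i][j] -= 1
            load[i][k] += 1                    # hop 1: i -> k
            load[k][j] += 1                    # hop 2: k -> j (forwarded by k's transport)
            reroutes.append((i, j, k))
    target = max(load[i][j] for i, j in pairs)
    observed = [[target if i != j else 0 for j in range(n)] for i in range(n)]
    dummies = sum(target - load[i][j] for i, j in pairs)
    return {"observed": observed, "target": target, "reroutes": reroutes,
            "dummies": dummies, "real": total}


# Constructed sample: node 0 talks heavily to node 1, everyone else sends one packet
SAMPLE_MATRIX = [
    [0, 9, 1, 1],
    [1, 0, 1, 1],
    [1, 1, 0, 1],
    [1, 1, 1, 0],
]

if __name__ == "__main__":
    r = neutralize_traffic_matrix(SAMPLE_MATRIX)
    print("observed matrix:", r["observed"])
    print("reroutes:", r["reroutes"], "dummy packets:", r["dummies"], "real:", r["real"])
```

An observer of the output matrix sees the same volume on every pair, so the 0→1 hot spot no longer contributes to a covert channel; the cost is the dummy-packet overhead the function reports, which is the trade-off the "No Idle Slots" discussion in the background points at.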

FIG. 4 is a diagram of an example of a network system 
constructed in accordance with the invention. The embodi- 
ment in FIG. 4 illustrates nodes 401, 402, 403, and 404. In
FIG. 4, each node comprises a host computer, a TCB and
other necessary networking peripherals. A node may com-
prise a communication network, shown as 404, which com-
prises a cluster of computers and may use a separate
communication protocol within network 404. The embodi-
ment shown in FIG. 4 is not restricted to any particular
communication protocol, and may use any suitable protocols



including TCP (Transmission Control Protocol) and UDP 
(User Datagram Protocol) for communication. 

Referring to FIG. 4, it is possible for node 401 to send a 
packet first to intermediate node 403. Node 403 forwards the 
packet to its true destination 402. In the preferred embodi- 
ment of the present invention, transport entities in each of 
nodes 401, 402, 403, and 404 agree to forward rerouted 
messages to their true destination once they are received and 
initially decoded. 

A TCB is established to administer central issues for the 
network, such as authentication and network monitoring or 
auditing. A separate server can be reserved for this purpose 
or the TCB function can be implemented on an existing 
server, such as authentication server or name lookup server. 

Spatial neutrality alone is not sufficient to ensure system 
wide security and there may be possible variations of 
communication traffic patterns over time. For example, a 
source may decide to send packets in a burst or spread out 
its transmission over a period of time. A malevolent user 
may be able to use timing to encode his messages to his 
accomplice, thereby creating covert channels. 

It is possible to identify and use the following parameters 
to characterize system communication traffic and audit overt 
and covert channels: 



nication between each pair of nodes is the same and the 
system does not require this information to be secret. By
imposing the neutrality criterion on the original traffic
matrix, we can eliminate the volume of communication
between any pair of nodes as a contributing factor to the 
covert channel. 

The frequency (F) of communication between a given pair 
of nodes can be used to analyze and exploit a system

tion to exploit covert communication channels. 

The Order (O) of communication between a set of nodes 
in the system. Given that the long term volume of commu- 
nication and the frequency of communication between each 
pair of nodes in the system to be the same (due to the V and 
F criteria discussed above), the order of communication 
becomes relevant. For example, if a node sends a packet to 
node i before sending a packet to node j versus sending a 
packet to node j before sending a packet to node i, then 
information can be encoded in the order in which nodes
communicate with one another.

Nature (N) of communication between a 
given pair of nodes. Given that the volume, frequency and 
order of communication are to be same (due to the V, F and 
O criteria discussed above), the nature of the communication 
becomes relevant. If the packets are encrypted (end-to-end 
encryption), the intruder cannot see the contents of the 
packets. However extrinsic characteristics like packet size 
can be used to exchange information covertly. For example, 
a user may send his accomplice a packet of some predeter- 
mined size followed by another packet of a different size to 
exchange some information covertly. These covert channels 
are eliminated by requiring that the extrinsic characteristic 
of all packets be the same, by enforcing a fixed packet size, 
and by encrypting the packets. 

The Length (L) (or duration) of transmission. When a 
single user still can change some of the V, F, O and N
parameters just by performing some local operations like 
increasing the load on the system or choosing to ignore any 
of the globally accepted parameters, then the user can create 
a covert channel to communicate with an accomplice. For 
instance, the user may have an agreement with the accom-
plice to vary the load on the system at a given time. When
the transmission parameters as seen on the system change
immediately by significant amounts, the accomplice inter-
prets this as a signal (the eavesdropper is assumed to be
continuously monitoring the entire system and can detect 
any changes in the transmission characteristics). 

One or a combination of the parameters V, F, N, O, L can 
be used to monitor the system behavior or communication 
patterns and to compile statistical data on a communication
system. The data are then used to determine "normal" or 
"baseline" system characteristics for the system. The base- 
line characteristics are those that are considered "normal" 
based upon long-term observation of the system operations 
and analysis of traffic patterns. For example, by monitoring
and gathering traffic information for a communication sys-
tem on a longer term, an audit trail can be constructed that 
contains information such as system load, local communi- 
cation frequencies, temporal and spatial traffic patterns. 

A database of audit trails thus constructed can be analyzed 
to determine "baseline" system conditions. A statistical 
analysis is performed if necessary. The factors that deter- 
mine "baseline" conditions for a communication system 
include one or a combination of the parameters V, F, N, O, 
L, and any other suitable parameters.

When deviations in system characteristics from these 
"normal" or "baseline" conditions are observed, an audit 
may be initiated by a system administrator or any other 
suitable entity to identify and fix the source of the deviations 
or potential "faults." It is often possible to correlate an 
out-of-normal condition identified in a system to a specific
problem or fault in a system. For example, a particular 
communication pattern observed can be attributed to the 
same fault. If an abrupt decrease in communication load of 
the system is observed, it might signal a network gateway 
fault, or a power shutdown. On the other hand, if there is a 
sudden increase in the load, a malevolent user might be 
flooding the system with a lot of packets, also known as a
"denial of service" attack. This kind of attack can seriously
delay or interrupt the overt communication system.

After a list of communication patterns and their associated 
faults and diagnoses are compiled, it can be used as a fault
dictionary. Comparing an observed out-of-normal commu-
nication pattern to known fault patterns in a fault dictionary
allows the system operator or maintenance crew to detect,
diagnose and report a system fault in a facile and speedy
manner. This allows the invention to statistically monitor the
security characteristics of overt and covert channel traffic
and detect system faults. 
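The baseline audit described in the preceding paragraphs (baseline from long-term observation, an auditability band of ±θ around it, out-of-baseline intervals looked up in a fault dictionary), run over constructed one-minute load samples as an added Python example; this is not the patent's code. The two fault-dictionary entries are the ones the text gives; the use of the first ten samples as the observation window, the sample values, and the output format are assumptions of the example.

```python
# Fault dictionary: out-of-baseline pattern -> candidate diagnoses. The two
# entries are the page's own examples; an operator would extend the table as
# further patterns are attributed to faults.
FAULT_DICTIONARY = {
    "abrupt decrease in load": ["network gateway fault", "power shutdown"],
    "sudden increase in load": ["flooding / denial of service"],
}


def baseline_band(training_loads, theta):
    """Baseline load and the auditable band [Load(−θ), Load(+θ)] derived from
    the observation window (stands in for the long-term audit trail)."""
    base = sum(training_loads) / len(training_loads)
    return base, base * (1 - theta), base * (1 + theta)


def audit_loads(loads, baseline_window, theta):
    """Compare each one-minute load sample after the baseline window with the
    band; return one finding per out-of-baseline minute, with the diagnoses
    the fault dictionary associates with that pattern."""
    base, lo, hi = baseline_band(loads[:baseline_window], theta)
    findings = []
    for minute, load in enumerate(loads[baseline_window:], start=baseline_window):
        if load < lo:
            pattern = "abrupt decrease in load"
        elif load > hi:
            pattern = "sudden increase in load"
        else:
            continue                      # within baseline: no audit needed
        findings.append({
            "minute": minute,
            "load": load,
            "deviation": (load - base) / base,
            "pattern": pattern,
            "diagnoses": FAULT_DICTIONARY[pattern],
        })
    return findings


# Constructed audit trail: system-wide packets per minute. The first ten
# minutes are the observation window; the remainder contains a surge, a
# collapse and a flood.
SAMPLE_LOADS = [98, 102, 101, 99, 100, 103, 97, 100, 102, 98,
                105, 112, 40, 101, 260]

if __name__ == "__main__":
    for f in audit_loads(SAMPLE_LOADS, baseline_window=10, theta=0.1):
        print(f"minute {f['minute']}: load {f['load']} ({f['deviation']:+.0%}) "
              f"-> {f['pattern']}; check: {', '.join(f['diagnoses'])}")
```

Widening θ trades sensitivity for fewer audits: at θ = 0.1 the 112-packet minute is flagged, at θ = 0.2 it falls inside the band and only the collapse and the flood remain, which is the same trade-off FIG. 9 illustrates for channel capacity.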

Controlling covert channel traffic, however, further 
requires temporally neutral transmission schedules in which 
none of <V, F, O, N, L> can be used to encode information. 
To eliminate such covert channels, globally selected values 
of <V, F, O, N, L> shall remain the same for an extended
period of time and a single user should be prevented from
changing these parameters by himself. Any changes should
be done by a negotiation process involving at least a
majority of nodes, if not all nodes, and the changes should
be effected in a controlled manner.

With the five traffic characteristics identified above, a
temporally neutral transmission schedule can be developed
for an n×n neutral traffic matrix. The system proposed by the
invention uses slotted time to transmit packets. The period
contains n(n−1) active slots and m idle slots.
To provide a spatially neutral traffic flow, the volume of
communication between each node is controlled to be the same



and the frequency and the order of transmission is prede- 
termined and is fixed for the entire duration of a cycle. FIG. 
5 shows a static transmission scheduling policy. 

In FIG. 5, the horizontal lines indicate the arrival of new
packets, scheduling and transmission of packets. In FIG. 5,
the slot and period sizes are predetermined and are global
values. A period comprises the active slots where all nodes
are transmitting packets according to a predetermined sched- 
ule. Idle slots may change to satisfy bandwidth demands of 
the node. 

FIG. 5 shows backlog queues associated with each node 
and the arrival of rerouted packets from intermediate nodes. 
Since the traffic matrix is maintained neutral, the nodes will 
receive one packet from every other node in the system per 
period. In FIG. 5, the new arrivals and the rerouted packets 
received during period i are eligible for transmission during 
period (i+1). Nodes 1 and 4 have at least one packet in the 
buffer eligible for transmission at the beginning of period i 
and are scheduled for transmission. At the beginning of 
period i, there are no packets in the backlog buffer for nodes 
2 and 3. This implies that there were no new arrivals or 
rerouted packets for either of the nodes during the period 
(i-1) and dummy packets are generated on behalf of nodes
2 and 3.

FIG. 5 also shows the arrival of packets from nodes 3, 2, 
1 and 4 destined for the local node. One packet is received 
and transmitted by each node in period i. In period i, a packet 
is generated in the local node destined for node 4, routed via 
node 2. The local node then enqueues a packet on (the 
intermediate) node 2's queue and marks it "destined for 
node 4." In the next period, node 2 transmits this packet to 
the appropriate designation (node 4), shown in FIG. 5 as 4 
(via 2). The queuing of packets in the virtual queues is 
shown in dotted lines. 

In FIG. 5, the packets that arrived for node 1, 3 and 4 in 
period i are enqueued in the queues associated with nodes 1,
3 and 4 respectively. The queue for node 4 also shows a
packet backlogged from the previous period. The 4(via 2) 
arrival in period i enqueues a packet in the node 2's queue. 
Thus each node has at least one packet to transmit in its 
queue. 

The timing and order of transmission (4, 3, 2, 1) and the 
order of packet arrival (3, 2, 1, 4) remain the same over all 
periods. The actual order is not important and the order of 
transmission could be something as simple as round robin or 
tournament order. However, an order is selected and fol- 
lowed in all periods of the cycle. The volume of commu-
nication between each node is the same to satisfy the 
neutrality criterion. 

Thus, the V, F, and O restrictions of the parameter tuple 
<V, F, O, N, L> are satisfied. If the extrinsic packet char- 
acteristics such as packet size and encryption algorithm can 
be determined and fixed in a communication system, then 
the N restriction can be satisfied as well. The L restriction, 
however, is not satisfied since the nodes may change the 
number of idle slots, thereby changing L, the length 
(duration) of transmission. The purpose of the idle slots in 
the period is for the scheduling algorithm to adapt to
variations in load and satisfy increased bandwidth require-
ments.

An adaptive scheduling policy can be used for a system
with a variable number of idle slots in a period to adapt to
long term fluctuations in system load. FIG. 6 is an example
of changing transmission characteristics in an adaptive
scheduling policy. In FIG. 6, after a sustained increase in the
load, the nodes negotiate and decide to decrease the number 
of idle slots per period. 
When a node or a group of nodes see a need to change the
number of idle slots to accommodate additional traffic, they
initiate a negotiation process. It is possible for the nodes to
agree upon a new number of idle slots for the future periods
of the same cycle depending on the current load on the
system. Once this parameter is decided, it remains constant 
for the duration of a cycle. 

FIG. 7 is a flow chart illustrating a node negotiating to 
change the number of idle slots. At step 701, a node sends 
a request to change the number of idle slots to a TCB
(Trusted Computing Base). In response, the TCB sends an
acknowledgment back to the requesting node with a grant or
a denial. If the request is granted at step 702, then the node
proceeds to change the number of idle slots at step 705.
Otherwise, at step 703, a determination is made as to
whether the TCB offers some other number of idle slots for 
the node. If so, at step 704, the node makes a decision to 
accept the offer or decline. Otherwise, the node proceeds to 
step 701. 

If the offer from the TCB is an acceptable value to the 
node, the node proceeds to step 705 where it changes the 
number of idle slots accordingly. If not, the node proceeds 
to step 701 to send another request to the TCB. The number 
of active and idle slots (and therefore the bandwidth 
allocated) is decided by a global negotiation process in 
which all nodes participate. 

Thus, no single node can affect the active and idle slot 
times significantly without reaching a consensus with other 
nodes in the system and the potential of a single node to 
change the transmission schedule is very limited. For 
example, a user may try to change the load on a particular 
node in an attempt to change the transmission
characteristics, which could be observed by the accomplice 
on the system, thus creating a covert channel. In response to 
the attempt to vary the load and create a covert channel, the 
scheduling policy initiates the global negotiation protocol to 
decide on new transmission characteristics, thus minimizing 
the effects of any single node on the transmission charac- 
teristics as well as covert channel capacity. 

The idle slot negotiation process as shown in FIG. 7 
serves only as an example, and any other global handshake 
process can be used between nodes and a TCB for the 
negotiation in alternate embodiments of the invention. 

Referring back to FIG. 6, the number of active slots in the
period remains the same, but the total period length
decreases by one slot as the negotiation decreases the
number of idle slots from two to one, thereby increasing the
utilization. Thus, while an adaptive scheduling policy allows
a system to adjust to load fluctuations, it does not
completely prevent changes in the length of the period L and
therefore in the transmission characteristic. This
possibility prevents the system from guaranteeing the L
restriction in <V, F, O, N, L>, leaving open the possibility
of a covert channel.

Since the negotiation for new transmission characteristics
is not done frequently and is a global activity, the
bandwidth of this covert channel is very low. Also, any
eventual changes to the transmission schedule after the
negotiation process are due to the cumulative effects of
several individual nodes' (users') actions and views of the
system, and the effect of any single node on the
transmission characteristics is relatively minor. If a node
is using all its capacity and wants to increase its traffic
to a particular node by k packets, then due to the
neutrality criterion, it must increase its traffic by a
factor of kn, n being an integer greater than one. Also, due
to the non-local effect of rerouting, traffic on other nodes
is affected as well and there might exist some excess
capacity after negotiation. Therefore, the covert channel
has low bandwidth and is very noisy.

Nonetheless, covert channels may
exploited by the users i
possibility, thus, poses a potentially serious
secure communication system. An effective
dling known covert channels is to deter its
and covert channel auditing or monitoring
main deterrence mechanism. In the present
channel handling policies are used based upon a channel
auditing mechanism to reduce covert channel capacity and
prevent traffic analysis in an efficient and effective way.

FIG. 8 shows an example of the distribution of the change
in system communication traffic volume over one minute
intervals observed on ECSNET (Engineering Consulting
Services Network), a subnet of UFNET (University of
Florida Network). ECSNET is a 10 Mbps LAN with average
packet size 291 bytes. The normal sustained burst volume or
baseline volume in the system is approximately 15% for
TCP traffic and 22% for UDP traffic under average load
conditions. In the example shown, there are 25 nodes in
ECSNET and the mean number of packets transmitted per
minute is 884 packets.

Two standard deviations for the distribution shown in
FIG. 8 correspond to a 23.95% change in traffic volume.
Thus, the threshold for auditing the communication traffic
is set at 24%, i.e., any variation in the traffic volume
that is at least 24% of the current volume is considered
out of baseline and audited. However, any other number can
be chosen as the threshold value as appropriate in alternate
embodiments without departing from the scope of the
invention. In the example of FIG. 8, a threshold value
lower than 24% can result in noisier channels.

On the average, an overhead of a factor of four is
introduced to achieve spatial and temporal system traffic
neutrality. Thus, the number of packets exchanged per node
per minute is 884×4=3536 packets. Since each node
exchanges one packet with every other node in the system
each period, there are 3536/24=147.3 periods/minute or
0.407 seconds per period. If the slot time is 0.0005 seconds
per slot, then there are 0.407/0.0005=814 slots per period.
Since the number of active slots per period is (# of
nodes)×(# of every other node)=(25)×(24)=600, the number
of idle slots per period is 214 for this load condition.

Since any variation less than ±24% is accepted as normal
or baseline in terms of traffic volume, this translates to
a baseline traffic of 3536±849 packets per node per minute.
At the upper bound, 3536+849=4385 packets per node per
minute translates to 4385/24=182.71 periods per minute or
0.328 seconds per period, for 0.3284/0.0005=657 slots per
period with 57 idle slots. Similarly, at the lower bound,
3536−849=2687 packets per node per minute. This yields
2687/24=111.958 periods per minute or 0.5359 seconds per
period, for 0.5359/0.0005=1072 slots per period with 472
idle slots.

The number of idle slots, therefore, ranges from 57 to 472,
producing 472−57+1=416 states. This can encode
log2 416=9 bits. Thus, the capacity of this channel is
9/60=0.15 bps when the number of idle slots is allowed to
change anywhere from 57 to 472 without restrictions.

However, covert channel capacity can be controlled when
the system adopts a granularity of change of idle slots,
i.e., limits are put on the number of idle slots a node can
change from the previous period. For example, if the
granularity of change of idle slots is set at δ=±100 from
the previous period, then out of 416 idle slot states, nodes
are allowed to change the number of idle slots by a step
size of 100. Thus, for δ=±100, nodes are only allowed to
change the number of idle slots by 0, 100, 200, 300, or 400,
thereby generating 5 states which are encodable by
log2 5=3 bits. This yields a channel capacity of
3/60=0.05 bps.

If the granularity of change of idle slots is set at δ=±50,
on the other hand, nodes are allowed to change the number
of idle slots by a step size of 50, i.e., nodes are allowed
to change the number of idle slots by 0, 50, 100, 150, 200,
250, 300, 350, or 400, generating 9 states. Thus, for
δ=±50, the covert communication needs 4 bits to encode the
states, with a resulting capacity of 4/60=0.06 bps.

If the granularity of change of idle slots is further
reduced to δ=±10, then there are a total of 42 states since
nodes are allowed to change the number of idle slots by 0,
10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130, 140,
150, 160, 170, 180, 190, 200, 210, 220, 230, 240, 250, 260,
270, 280, 290, 300, 310, 320, 330, 340, 350, 360, 370, 380,
390, 400, or 410. Covert communication requires 6 bits to
encode 42 states and this yields a channel capacity of
6/60=0.1 bps.

Thus, the covert channel capacity can be controlled by
changing the granularity of change of idle slots in the
system. As another example, if the granularity of change of
idle slots is set to be a fraction, α, of the basic number
of slots in the period, then δ=α×slots. For example, if
α=0.1, then δ=0.1×814=81. The number of states for the
±24% threshold can be computed from the number of idle
slots, which is 57 at +24% and 472 at −24%. Therefore, the
number of states at the upper bound is

Likewise, at the lower bound, the number of states is

[472 − 214]

The total number of states then is 2+4+1=7, encoded by
log2 7=3 bits. This yields a channel capacity of 0.05 bps.
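As an added worked example (not part of the patent text), the following Python reproduces the ECSNET calculation above: the base load of 884×4 packets per node per minute, the idle-slot bounds for the ±24% threshold, and the covert channel capacity with no handling, with fixed step sizes δ, and with the proportional policy δ=α×slots. Two assumptions are made to match the quoted figures: slot counts are rounded to whole slots, and each side's state count under the proportional policy is the ceiling of (idle-slot range / δ), which gives the 2 and 4 in the text.

```python
import math

# Added example, not from the patent: reproduces the ECSNET idle-slot
# covert channel figures and applies the channel handling policies.
# Assumption: slot counts are rounded to whole slots to match the text.

SLOT_TIME = 0.0005   # Ts in seconds (from the text)
WINDOW = 60.0        # one-minute observation interval in seconds

def slots_per_period(load, n, ts=SLOT_TIME):
    """Total slots per period: 60 (n-1) / (load * Ts), rounded."""
    return round(WINDOW * (n - 1) / (load * ts))

def idle_slots(load, n, ts=SLOT_TIME):
    """Idle slots = total slots minus the n(n-1) active slots."""
    return slots_per_period(load, n, ts) - n * (n - 1)

def auditable_loads(base_load, theta):
    """Upper and lower auditable loads for auditability threshold theta."""
    margin = round(base_load * theta)
    return base_load + margin, base_load - margin

def bits_for(states):
    """Bits needed to encode `states` distinct symbols."""
    return math.ceil(math.log2(states))

def capacity_no_handling(idle_hi, idle_lo):
    """Every idle-slot count between the bounds is a distinct state."""
    states = idle_lo - idle_hi + 1
    bits = bits_for(states)
    return states, bits, bits / WINDOW

def capacity_fixed_step(idle_hi, idle_lo, step):
    """Nodes may change the idle-slot count only by 0, step, 2*step, ..."""
    states = (idle_lo - idle_hi) // step + 1
    bits = bits_for(states)
    return states, bits, bits / WINDOW

def capacity_proportional(idle_hi, idle_base, idle_lo, total_slots, alpha):
    """Step = alpha * slots in the base period; states are counted on each
    side of the base load plus the no-change state (the text's 2 + 4 + 1)."""
    step = int(alpha * total_slots)
    up = math.ceil((idle_base - idle_hi) / step)
    down = math.ceil((idle_lo - idle_base) / step)
    states = up + down + 1
    bits = bits_for(states)
    return step, states, bits, bits / WINDOW

def ecsnet_example(n=25, mean_packets=884, overhead=4, theta=0.24):
    """Walk the ECSNET numbers from the text and collect the results."""
    base = mean_packets * overhead                   # 3536 packets/node/min
    hi_load, lo_load = auditable_loads(base, theta)  # 4385 and 2687
    total = slots_per_period(base, n)                # 814 slots per period
    idle_base = idle_slots(base, n)                  # 214 idle slots
    idle_hi = idle_slots(hi_load, n)                 # 57 at the heavier load
    idle_lo = idle_slots(lo_load, n)                 # 472 at the lighter load
    return {
        "slots": total,
        "idle": (idle_hi, idle_base, idle_lo),
        "none": capacity_no_handling(idle_hi, idle_lo),
        "d100": capacity_fixed_step(idle_hi, idle_lo, 100),
        "d50": capacity_fixed_step(idle_hi, idle_lo, 50),
        "d10": capacity_fixed_step(idle_hi, idle_lo, 10),
        "prop": capacity_proportional(idle_hi, idle_base, idle_lo, total, 0.1),
    }

if __name__ == "__main__":
    for key, value in ecsnet_example().items():
        print(key, value)
```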

Table 1 shows the covert channel capacity for a noiseless
channel with and without handling for the average load case.
The analysis of traffic was performed on ECSNET.

TABLE 1

Channel Capacities for a Noiseless Channel

Basic Load

δ = ±100, Cap. bps
δ = ±50, Cap. bps
δ = ±10, Cap. bps
δ = 0.1 × # slots, Cap. bps 0.05 0.05 0.05

As can be seen in Table 1, introducing channel handling
policies reduces the number of states to which the system
can transition by varying the granularity of change in the
number of idle slots. With increasing granularity, the
number of possible states decreases, thereby reducing covert
channel capacity.

FIG. 9 shows the channel capacities for different
auditability thresholds, θ. In FIG. 9, the top three curves
represent the channel capacities for a noiseless channel
without handling for minimum, average and maximum load. As
can be seen in FIG. 9, as the auditability threshold
increases, the variability in the system load that is
accepted as "normal" or "baseline" increases, leading to
higher covert channel capacities. The lower three curves in
FIG. 9 represent the channel capacities for a noiseless
channel with handling for minimum, average, and maximum
loads.

The handling policy of FIG. 9 uses the proportional
handling policy, where the granularity of change in the
number of idle slots, δ, is a fraction of the basic number
of slots in the period, i.e., δ=α×slots wherein α=0.1. It
is clear from FIG. 9 that this handling technique reduces
covert channel capacity by more than 50% compared to the
corresponding channel with no handling.

In the preferred embodiment of the invention, the
auditability threshold, θ, determines the variation in
system load that is accepted as "normal" or "baseline." As
discussed above, this threshold is determined by studying
the traffic characteristics and is set to a value such that
most of the variation that occurs during the course of
normal system operation is excluded from scrutiny. If the
threshold is lower than optimal, the auditing system will
experience too many spurious audit events, costing expensive
resources and reducing the confidence in audit results,
while a higher than optimal threshold can allow some
potential covert channel communication to go undetected.

Since the auditability threshold, θ, determines the
variation in system load and does not differentiate overt
channels from covert channels, using the auditability
threshold, θ, allows a system to implement a monitoring
function for overt channels as well as for covert channels.

In this embodiment of the invention, the auditability
threshold, θ, is determined by the system load. However, in
alternate embodiments of the invention, as will be apparent
to one skilled in the art, any other suitable system
parameter or a combination of a number of parameters can be
selected and used as an auditability threshold for
monitoring system behavior and overt and covert channel
activity.

Although the audit thresholding technique and channel
handling policies described above involve performance
evaluation and analysis on ECSNET, it will be appreciated
by one skilled in the art that the invention is applicable
to any communication system and computer network where a
plurality of communication nodes require protection from
unauthorized intruders. Further, it will also be appreciated
by one skilled in the art that the invention is not limited
to a particular traffic pattern, and is applicable to any
traffic pattern regardless of the underlying communication
infrastructure.
FIG. 10 shows the effect of different handling policies at
different load conditions on the covert channel capacity
for a noiseless channel. From FIG. 10, it can be seen that
as the load increases, the covert channel capacity
decreases. As the granularity of change in the number of
idle slots increases, the channel capacity decreases. Also
in FIG. 10, proportional handling is seen to be more
effective than other simple handling policies.

FIG. 11 shows the effect of granularity on covert channel
capacity. With coarser granularity, a sender must cause a
large enough change in the system load for the number of
idle slots to change. This improves the auditability of the
channel and reduces the covert channel capacity. However,
coarser granularity reduces the system responsiveness.
Finer granularity allows nodes to change the load by a
small fraction of the current load and still manage to
transmit a symbol.

Considering the effect of various parameters such as the
auditability threshold θ and the granularity of change in
the number of idle slots δ, a method can be developed to
determine the value of these parameters for a desired
channel capacity, C.

For a given number of nodes in the communication system, n,
and the slot time Ts, the number of idle slots in a period
for any particular load is given by:



where n(n−1) is the number of active slots. Once the idle
slot range is obtained, the maximum covert channel capacity
without handling can be obtained:



Thus, using the above relationship, the granularity of
change in the number of idle slots can be obtained from a
desired value of the covert channel capacity C:

log2(δ) ≥ log2(range) − Tc × C

Thus, depending on the handling policy selected, the
granularity δ can be determined accordingly. For example,
if the proportional handling is used, then δ=α×slots, where
slots is the total number of slots in a period.

The discussion above involves noiseless channels.
However, the present invention can be applied to noisy
channels as well. The channel capacity for a noisy channel
is less than the channel capacity for noiseless channels
for corresponding traffic loads since the 24% change in
traffic volume is distributed to every node in the network.
Thus the effective change in the traffic volume and the
range of the idle slots is also reduced, resulting in
reduced channel capacity. As in the noiseless channel case,
the channel handling policies can reduce the number of
states to which the system can transition, thus reducing
the maximum covert channel capacity.

FIG. 12A is a flowchart for monitoring communication
traffic and determining channel capacities for noiseless and
noisy channels according to a preferred embodiment of the
invention. Referring to FIG. 12A, at step 121, a
determination is made as to whether the monitored
communication traffic is outside of "baseline" conditions.
If so, at step 123, a determination is made as to whether
the channel for which the channel capacity is calculated is
a noiseless channel. If so, at step 124, a base load L(base)
is determined by multiplying by an overhead factor of four.
At step 125, upper-bound and lower-bound auditable loads
are determined from a given auditability threshold θ. At
step 126, the numbers of idle slots are obtained for the
upper bound base load and the lower bound base load.

If it is determined that the channel is not a noiseless
channel in step 123, then at step 127, a determination is
made as to whether the channel is a noisy channel. At steps
128, 129, and 130, as in the noiseless case, base loads and
the numbers of idle slots are obtained for the upper and
lower bound cases.

At step 131 the number of available symbols is obtained,
from which a maximum channel capacity is obtained in step
132. At step 133, the channel capacity Cδ with a channel
handling policy is obtained. At step 134, a determination
is made as to whether the channel capacity Cδ falls outside
of "baseline" conditions. If so, a covert channel may exist
and the system security can be violated. Then, if it is
desired, an appropriate measure can be taken to control the
capacity by, for example, adjusting a parameter such as the
granularity of change of idle slots at step 135. If the
channel capacity Cδ is under "baseline" conditions at step
134, the observed traffic characteristics and analysis are
entered into an audit database for future use and reference
at step 136.

Thus, "out-of-baseline" traffic patterns can be effectively 
monitored and controlled for noisy channels as well as for 
noiseless channels. Referring back to step 121, if the moni- 
tored communication traffic is determined to be outside of 
"baseline" conditions, it is also possible that the anomaly is 
due to a fault in the system. Then a fault detection can be 
initiated as well. FIG. 12B is a flowchart describing a fault 
detection method. At step 137, the monitored traffic char- 
acteristics are compared with known traffic patterns in a fault 
dictionary or directory to find a match. If a match is found 
in step 138, the fault can be identified and isolated so that an 
appropriate corrective action can be taken at step 139. At 
step 140, the observed traffic characteristics and their analy- 
sis are entered into the audit database for future use and 
references as in step 136. 

Thus, a method and apparatus for auditing and controlling 
overt and covert communication traffic has been described in 
conjunction with one or more specific embodiments. The 
invention is defined by the claims and their full scope of 
equivalents. 

1. A method of auditing communications traffic in a
communications system comprising a plurality of nodes and
a plurality of communications channels between said
plurality of nodes, said method comprising the steps of:

collecting network characteristics;

changing a granularity of change in the number of idle
slots to change said network characteristics; and

repeating at predefined intervals.
2. The method of claim 1 wherein said network
characteristics comprise a covert channel capacity.

3. The method of claim 1 wherein said granularity of
change is based on communication load of said
communication system.

4. A method of auditing communications traffic in a
communications system comprising a plurality of nodes and
a plurality of communications channels between said
plurality of nodes, said method comprising the steps of:

collecting network characteristics; and

repeating at predefined intervals,

wherein said communication system further comprises a
trusted computing base (TCB).

5. A method of controlling a communication system
comprising a plurality of communication channels, said
method comprising:

using a threshold to specify a "baseline" range of said
communication system;

monitoring said threshold to detect said communication
system falling outside of said "baseline" range;

using a parameter to change said communication system's
characteristic.

6. The method of claim 5 wherein said threshold comes
from a fault dictionary.

7. The method of claim 5 wherein said threshold com- 
prises a communication system load. 
8. The method of claim 5 wherein said threshold is based
on V (volume), F (frequency), N (nature), O (order), and L
(length) of communication.

9. The method of claim 8 further comprising the step of
controlling V, F, O, N and L parameters.

10. The method of claim 5 wherein said communication 
system's characteristic is a channel capacity. 

11. The method of claim 10 wherein said channel capacity
comprises a covert channel capacity.

12. The method of claim 10 wherein a communication on 
said plurality of communication channels comprises trans- 
mission slots during which a packet can be transmitted or 
received. 

13. The method of claim 12 wherein said slots comprise 
active slots and idle slots. 

14. The method of claim 13 wherein said parameter is a 
granularity of change in the number of idle slots. 

15. The method of claim 5 wherein said communication 
system further comprises a trusted computing base (TCB). 

16. The method of claim 15 wherein said step of changing 
said parameter comprises the steps of: 

sending a request to change the value of said parameter to 
said TCB; 

changing said parameter to a new value when said TCB 
approves the new value. 



